
APT Attacks on Energy Infrastructure: Analysis and Defense

Comprehensive analysis of APT groups targeting the energy sector. Sandworm, Volt Typhoon tactics, OT kill chains, and critical infrastructure defense strategies.

APT threat landscape in the energy sector

The energy sector is one of the most frequent targets of Advanced Persistent Threat (APT) groups worldwide. Unlike financially motivated cybercriminals, state-sponsored APT groups attack energy infrastructure as part of geopolitical strategy — to demonstrate offensive capabilities, exert political pressure, or prepare the ground for military operations.

In 2025, CERT Polska recorded a record number of incidents related to APT activity in the Polish energy sector. The DynoWiper attack in December 2025 was the culmination of a trend that had been building for years, but it is not the only example of systematic targeting of Polish critical infrastructure.

Major APT groups targeting energy

Sandworm (GRU, Unit 74455)

Sandworm has the most destructive track record of any APT group in the energy sector. It is held responsible for BlackEnergy (the 2015 Ukrainian grid outage), Industroyer (2016), NotPetya (2017), and Industroyer2 (2022). The group specializes in attacks on European energy infrastructure using purpose-built OT malware.

Sandworm tactics include spear-phishing with energy industry-related documents, exploitation of internet-facing servers and VPNs as initial access points, lateral movement through Active Directory to OT networks, deployment of dedicated malware manipulating energy protocols (IEC 104, IEC 61850), and coordination of cyber attacks with physical operations.

Volt Typhoon

A Chinese APT group focused on pre-positioning in Western nations’ critical infrastructure — including energy. Unlike Sandworm, Volt Typhoon avoids destruction, concentrating on maintaining long-term access.

Their living-off-the-land (LOTL) tradecraft relies almost entirely on legitimate system tools (PowerShell, WMI, netsh port proxying, built-in network utilities), so signature-based detection has little to match on; catching them depends on baselining normal administrative behaviour and flagging deviations. They target edge devices, such as routers, firewalls and VPN appliances, as entry points and often proxy their traffic through compromised small-office routers to blend in with local traffic.

XENOTIME (Triton/TRISIS)

The only publicly known APT group to have directly attacked Safety Instrumented Systems (SIS). In 2017, their Triton malware was used against Schneider Electric Triconex controllers at a Saudi petrochemical facility in an attempt to reprogram the safety logic; tampering with the SIS removes the last automated barrier against a physical catastrophe. The intrusion came to light only because a fault in the attackers' code tripped the controllers into a safe shutdown.

APT kill chain for energy infrastructure

APT attacks on the energy sector proceed in carefully planned phases, often spanning months or years.

Phase 1: Reconnaissance (weeks-months). Mapping the target’s IT and OT infrastructure using OSINT. Identifying SCADA systems, controller manufacturers, firmware versions. Analyzing employee profiles on LinkedIn, particularly OT engineers and system operators. Monitoring public tenders for automation systems.

Phase 2: Initial access (days-weeks). Spear-phishing targeting OT engineers with industry-relevant attachments. Exploiting vulnerabilities in VPN systems, email servers, or vendor portals. Compromising software or firmware suppliers (supply chain). Watering hole attacks on industry forums and OT equipment manufacturer websites.

Phase 3: Persistence and escalation (weeks-months). Installing backdoors in the corporate IT network. Privilege escalation to domain administrator level. Stealing VPN and jump server credentials for OT network access. Mapping OT network topology — identifying controllers, engineering workstations, historians.

Phase 4: Lateral movement IT→OT (weeks). Crossing the industrial DMZ by exploiting segmentation weaknesses such as dual-homed hosts, overly broad firewall rules, or shared credentials between zones. Accessing HMIs and engineering workstations (EWS). Obtaining controller programming software (e.g., Siemens TIA Portal, ABB Ability). Rehearsing the manipulation on identical controllers in an offline lab before touching production equipment.

Phase 5: Actions on objectives (mission-dependent). Destruction (wiperware, process manipulation), espionage (infrastructure data exfiltration), pre-positioning (maintaining covert access), or sabotage (manipulating operating parameters to cause physical failures).

Detecting APT in energy environments

Detecting APT in energy networks requires a specialized approach combining IT and OT monitoring.

OT traffic monitoring using tools that understand industrial protocols (Modbus, DNP3, IEC 104, OPC UA). Baselining normal controller communication and detecting anomalies — unauthorized write commands, new connections, unusual traffic patterns.

Threat hunting in IT and OT logs. Searching for indicators of compromise (IoC) linked to known APT groups. Behavioral analysis of privileged accounts — logins at unusual times, access to unusual resources. Cross-source event correlation — firewall, AD, OT servers, controller logs.
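The behavioural hunt described above, as an added example that is not part of the original page: a small Python hunt that walks constructed domain-controller and jump-host logon events, flags privileged logons outside a maintenance window, first-seen source addresses and targets per account, and correlates across sources to spot a pivot from an OT jump host deeper into the OT network. Host names, addresses, account names and the log format are all hypothetical.

```python
"""Hunt for anomalous privileged logons across domain-controller and OT jump-host logs.
Added example over a constructed log sample; not code from the original page."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass
class Event:
    ts: datetime
    source_system: str   # which log the event came from (DC, jump host, ...)
    event_id: int        # Windows Security event id (4624 logon, 4672 special privileges)
    account: str
    src_ip: str
    target: str          # host the logon landed on


def parse_events(text):
    """Constructed line format: timestamp system event_id account src_ip target_host logon_type."""
    events = []
    for line in text.strip().splitlines():
        ts, system, eid, account, src_ip, target, _logon_type = line.split()
        events.append(Event(datetime.fromisoformat(ts), system, int(eid), account, src_ip, target))
    return events


def hunt(events, baseline, privileged, jump_hosts, window=(time(7), time(18))):
    """Return (timestamp, account, reason) triples for privileged-account anomalies.
    baseline: account -> {'sources': known source IPs, 'targets': known target hosts}.
    jump_hosts: jump-host name -> its IP, so logons *from* a jump host can be chained."""
    alerts = []
    last_jump_logon = {}  # (account, jump host) -> time the account last landed on it
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.account not in privileged:
            continue
        off_hours = not (window[0] <= e.ts.time() < window[1])
        known = baseline.get(e.account, {"sources": set(), "targets": set()})
        if e.event_id == 4672 and off_hours:
            alerts.append((e.ts, e.account, "admin privileges assigned outside maintenance window"))
        if e.event_id != 4624:
            continue
        if off_hours:
            alerts.append((e.ts, e.account, f"logon to {e.target} outside maintenance window"))
        if e.src_ip not in known["sources"]:
            alerts.append((e.ts, e.account, f"logon from {e.src_ip}, not in source baseline"))
        if e.target not in known["targets"]:
            alerts.append((e.ts, e.account, f"first-seen access to {e.target}"))
        # Cross-source correlation: a logon whose source is a jump host's IP, shortly after the
        # same account landed on that jump host, is a pivot deeper into the OT network.
        for host, ip in jump_hosts.items():
            landed = last_jump_logon.get((e.account, host))
            if e.src_ip == ip and landed is not None and e.ts - landed <= timedelta(minutes=30):
                minutes = int((e.ts - landed).total_seconds() // 60)
                alerts.append((e.ts, e.account, f"pivot via {host} to {e.target} {minutes} min after landing"))
        if e.target in jump_hosts:
            last_jump_logon[(e.account, e.target)] = e.ts
    return alerts


# Constructed sample (hypothetical hosts, addresses and account names).
SAMPLE_LOG = """
2025-03-03T09:12:44 DC01 4624 ot-admin 10.1.0.40 OT-JUMP01 10
2025-03-03T14:05:10 DC01 4624 ot-admin 10.1.0.40 OT-JUMP01 10
2025-03-04T02:47:03 DC01 4624 ot-admin 10.1.0.91 OT-JUMP01 10
2025-03-04T02:49:31 DC01 4672 ot-admin 10.1.0.91 OT-JUMP01 -
2025-03-04T02:55:12 OT-JUMP01 4624 ot-admin 10.2.0.5 OT-HIST01 3
2025-03-04T10:30:00 DC01 4624 j.kowalski 10.1.0.12 FS01 3
"""
BASELINE = {"ot-admin": {"sources": {"10.1.0.40", "10.2.0.5"}, "targets": {"OT-JUMP01"}}}
PRIVILEGED = {"ot-admin"}
JUMP_HOSTS = {"OT-JUMP01": "10.2.0.5"}


def run_hunt():
    return hunt(parse_events(SAMPLE_LOG), BASELINE, PRIVILEGED, JUMP_HOSTS)


if __name__ == "__main__":
    for ts, account, reason in run_hunt():
        print(f"{ts.isoformat()} {account}: {reason}")
```

The 30-day source and target baseline would in practice be generated from the SIEM rather than hard-coded, and the maintenance window should come from the change calendar; the point of the pivot rule is that neither the domain controller nor the jump host alone sees anything alarming, only their correlation does.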

OT honeypots: deploying fake PLC controllers and HMI stations in the OT network as decoys. Any communication attempt with them is a high-confidence indicator of compromise, since no legitimate system should ever connect to them; the only expected noise comes from the organisation's own asset-discovery scanners, which should be allowlisted so that every remaining contact is investigated.
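The traffic monitoring and decoy detection described in the two passages above, as one added Python example that is not code from the original page: it parses constructed Modbus/TCP frames, checks each against a learned baseline of allowed peers and allowed writers, flags write function codes from any source not authorized to write, flags peers outside the baseline, and treats any packet addressed to a decoy PLC as an alert on its own. The addresses, unit ids and baseline are hypothetical.

```python
"""Baseline-driven Modbus/TCP monitor: flags writes from unauthorized sources, peers outside
the learned baseline, and any contact with decoy PLCs.
Added example with constructed frames; not code from the original page."""
import struct
from dataclasses import dataclass

# Modbus function codes that change process state.
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}


@dataclass(frozen=True)
class Frame:
    src: str        # source IP from the capture metadata
    dst: str        # destination IP
    payload: bytes  # MBAP header + PDU as carried in the TCP stream


def parse_mbap(payload: bytes):
    """Return (unit_id, function_code) or None if the MBAP header is inconsistent."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; the length field counts unit id + PDU (everything after byte 6).
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def analyse(frames, baseline, decoys):
    """baseline['peers']: allowed (src, dst) pairs; baseline['writers']: (src, dst, unit)
    triples allowed to issue write function codes. decoys: IPs of honeypot PLCs."""
    alerts = []
    for f in frames:
        if f.dst in decoys:
            # Nothing legitimate talks to a decoy, so any packet is a high-confidence alert.
            alerts.append((f.src, f.dst, "contact with decoy PLC"))
            continue
        parsed = parse_mbap(f.payload)
        if parsed is None:
            alerts.append((f.src, f.dst, "malformed Modbus/TCP frame"))
            continue
        unit, fc = parsed
        if (f.src, f.dst) not in baseline["peers"]:
            alerts.append((f.src, f.dst, "Modbus peer outside baseline"))
        if fc in WRITE_FUNCTIONS and (f.src, f.dst, unit) not in baseline["writers"]:
            alerts.append((f.src, f.dst, f"unauthorized {WRITE_FUNCTIONS[fc]} to unit {unit}"))
    return alerts


# Constructed sample (hypothetical addresses): SCADA master 10.1.0.5, engineering workstation
# 10.2.0.50, PLC 10.2.0.10 (unit 1), decoy PLC 10.2.0.99, unknown host 10.3.0.77.
BASELINE = {
    "peers": {("10.1.0.5", "10.2.0.10"), ("10.2.0.50", "10.2.0.10")},
    "writers": {("10.1.0.5", "10.2.0.10", 1)},
}
DECOYS = {"10.2.0.99"}
SAMPLE_FRAMES = [
    # master reads 10 holding registers (FC3): normal polling
    Frame("10.1.0.5", "10.2.0.10", struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)),
    # master writes one register (FC16): allowed by baseline
    Frame("10.1.0.5", "10.2.0.10", struct.pack(">HHHBBHHB", 2, 0, 9, 1, 16, 0, 1, 2) + b"\x00\x64"),
    # engineering workstation writes a setpoint (FC6): known peer, but not an authorized writer
    Frame("10.2.0.50", "10.2.0.10", struct.pack(">HHHBBHH", 3, 0, 6, 1, 6, 40, 0)),
    # unknown host forces a coil (FC5): new peer and unauthorized write
    Frame("10.3.0.77", "10.2.0.10", struct.pack(">HHHBBHH", 4, 0, 6, 1, 5, 0, 0xFF00)),
    # unknown host fingerprints the decoy (FC43/14 Read Device Identification)
    Frame("10.3.0.77", "10.2.0.99", struct.pack(">HHHBBBBB", 5, 0, 5, 1, 43, 14, 1, 0)),
]


def run_example():
    return analyse(SAMPLE_FRAMES, BASELINE, DECOYS)


if __name__ == "__main__":
    for src, dst, reason in run_example():
        print(f"ALERT {src} -> {dst}: {reason}")
```

In production the frames would come from a SPAN port or network tap feeding a protocol-aware sensor, and the baseline would be learned over a quiet period and then frozen; the write-authorization check is what catches an Industroyer-style payload, which issues valid, well-formed commands from a host that should only ever read.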

Threat intelligence: subscribing to indicator feeds dedicated to the energy sector (CISA advisories, formerly published as ICS-CERT, Dragos WorldView, national CERTs such as CERT Polska) and correlating them automatically with observed network traffic and authentication logs.

Defense strategies against APT

Defense against APT requires a defense-in-depth strategy adapted to energy sector specifics.

Zero trust architecture for OT: every access to OT systems requires strong authentication (multi-factor where the equipment allows it) and explicit per-session authorization, typically brokered through a jump host rather than granted by network position. OT network microsegmentation with control at the individual controller level, so that only the designated SCADA master and engineering workstation can reach a given PLC. Elimination of default passwords and shared accounts in industrial systems.

Supply chain management: verifying the security practices of OT software and firmware suppliers. Digital signing and integrity verification of updates, with signatures checked against a vendor key obtained out of band rather than downloaded alongside the update. An isolated test environment for new controller software versions before they reach production.

Security awareness for OT — dedicated training for OT engineers and energy system operators. Phishing simulations with industry context. Procedures for verifying remote commands and configuration changes.

Purple Team exercises — regular APT attack simulations on energy infrastructure involving red team (attackers) and blue team (defenders). Testing detection, response, and recovery procedures. Verifying IT/OT segmentation against real lateral movement techniques.

How nFlo supports APT defense

nFlo has experience protecting energy infrastructure against advanced APT threats.

OT/ICS security audits identify APT entry vectors, assess IT/OT segmentation quality, and test resilience against lateral movement techniques used by groups like Sandworm and Volt Typhoon.

SOC as a Service provides continuous monitoring using threat intelligence dedicated to the energy sector. IT and OT event correlation enables detection of early APT attack phases.

Red Team simulates tactics, techniques, and procedures (TTPs) of known APT groups, verifying security effectiveness in realistic energy infrastructure attack scenarios.

Incident Response ensures readiness when APT activity is detected — from forensic analysis to eradication and system recovery.

Schedule a free consultation — we’ll analyze your resilience against APT attacks.
